

PROGRAM PROTECTION NEWSLETTER 
A. K. A. 

THE PHANTOMS NEWSLETTER 
S EPT. 198 4 


WHAT IS A PROGRAM PROTECTION NEWSLETTER? 

It is a monthly newsletter that will deal with program protection 
schemes of all types. Each month will cover 3 to 5 specific 
examples o-f different program protection schemes. Some will be . 
very easy schemes, others may be very difficult. Some issues will 
cover word processors, data bases, spread sheets and games. Many 
different programs will be selected and each will be fully 
explained as to their type of protection. 

Each program example used will be for illustrative purposes only. 

It is not the intention of this newsletter to promote or encourage 
illegal or unauthorized duplication of any copyrighted program. 

WHY WOULD ANYBODY NEED A PROGRAM PROTECTION NEWSLETTER? 

Many programs have a very sophisticated protection scheme and can 
not be used on sons disk drives <MSD, 4040, E.0S0 eto.). Other 
programs use errors on the disk that can be very harmful to the 
disk drive. Many other people just prefer to use one disk for all 
their programs of one specific type (i.e. utilities . 

You are allowed to make an ARCHIVAL copy of any program that you 
have purchased. Some protection schemes do not allow the program 
to be directly backed up. They may require the use o 
sophisticated copy programs or extensive knowledge of MACHINE 

understand. In either case the average user may not be 
archival copy of his valued programs. 
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Another group of people just want to know more about 
computer and its associated components. They want to know how 
programs are protected and how their machine operates. They want 
to know how to modify their own disks and how to protect their own 

programs. 


What ever reason you have for wanting to learn about program 
protection this newsletter is for you! 


PASS THIS COUPON ON TO YOUR FRIENDS WHO WISH TO LEARN MORE ABOUT 
PROGRAM PROTECTION SCHEMES. 


SUBSCRIPTION PRICE *35.00 POST PAID IN U.S. (*40.00 FOREIGN) 

NAME. 

ADDRESS . 

CITY,STATE,ZIP. 


SEND TO« 

C. S. M. SOFTWARE 
P. 0. BOX 563 
CROWN POINT, IN. 46307 
219-663-4335 










The -first program to be examined this month has an extremely interesting 
program protection scheme. This program has been di-f-ficult to copy due the 
type o-f error scheme used. 

The program is LODE RUNNER (C) 198-. BY BRODERBUND 

TYPE OF PROTECTION: The three main programs are stored on the disk in 
program -files. The boot program (LR) is written in BASIC. This program will 
poke a ML program into the screen memory and execute the ML program. The 
reason that you do not see any ML program on the screen is that.the screen 
color (line 100) has been set to black and the character color ram also has 
been set to black in line 1070. This ML routine contained in screen memory 
will load the other two programs -from the disk then jump to the proper 
entry point of the main program. The main program (IT) contains the program 
protection scheme. I-f you use your ML monitor to examine the main program 
you will -find that the program has two areas in memory where the KERNAL 
calls and ’Ul’ reside <*723E and SBEB6). Keep in mind that the program 
contains a game generator that allows you to make your own screens and that 
the program also contains many di-f-ferent screens stored on the disk. The 
different screens that are stored on the disk do not appear in the 
directory. This means that they are loaded in from the disk from user 
files. Hence, it would appear that one area of the program will be used to 
check the protection scheme and the other area will be used to load and 
save the various screens that the program uses. 

HOW TO COPY THE PROGRAM 

Due to the combination of errors on the disk, the program may be difficult 
to copy with the normal means. The error combination may be duplicated with 
some difficulty by simply copying the disk and placing the correct errors 
on the copy disk. The program may also be copied by many of the better 
nibble copy programs. 

A word on nibble copy programs is in order. The term nibble copy comes from 
the copy programs that are used on the APPLE (R) computer. A nibble is 1/2 

of a byte or four bits. These copy programs will copy the disk four bits at 

a time, making an exact copy of the source disk. While the copy programs 

for the 1541 do not actually copy four bits at a time, the name for some of 

the better copy programs has carried over. 

HOW TO MAKE A WORKING COPY WITHOUT ANY ERRORS ON THE DISK 

The techniques used on this program are described in pages 50-60 and in 
pages 71-79. Plus, a new twist will be introduced in this protection 
scheme. You will be able to apply the information contained here on many 
different programs. 

1. Copy the original disk with any good copy program that will not place 
any errors on the destination disk. Load the directory and make a note of 
how long each program is. 

2. Load and execute the HIMDN. Fill the memory from *0800 to *BFFF with 
*00. This will erase any random memory from the computer. Load the program 
called IT from the copy disk. This is the program that contains the 
protection scheme. Use the H command to hunt for the 'Ul' and the KERNAL 
calls. Write down the locations of the Ul for future reference (*723C ?< 
*8EB6) . 
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3. Keep in mind that program called IT was 89 blocks long. Use your 
monitor to -find the beginning of the program (*6000). Roughly calculate the 
ending address o-f the program (4 blocks = IK) and you will -find that the 
program should end between *8000 and *0000. In order to -find the exact 
ending address o-f the program it will be necessary to turn o-f the BASIC 
interpreter and examine the RAM that underlies BASIC. To do this use the M 
command o-f your monitor. 

.M 0000 (RETURN) 

.s 0000 2F 37 CO 3E 32 0C C3 00 


Change the *37 contained at location *0001 to *36. This will turn o-f-f the 
BASIC interpreter and allow you to examine the RAM that underlies that area 
o-f memory. 

4. Again use the H command to hunt through memory -for the ’Ul' and the 
KERNAL calls. Verify that there is not any other area of memory that 
contains KERNAL calls. Now it will be necessary to examine each part of 
memory where the kernal calls reside. Use the I command to examine memory 
in the general location of where the U1 resides (*7000-*7400 and 
*8DOO-*8FFF). It will be necessary to rule out one area of memory as the 
screen loader and concentrate on the other area of memory as the protection 
scheme. The USER (Ul) at *8EB6 points to the area of the disk where the 
errors reside (Track 1) so let’s concentrate on this area as the protection 
scheme. 

5. Disassemble the code in this area and comment it fully in order to 
better help you understand the logic of the program. 

6. The code starting at *BE44 appears to a program protection scheme (see 
page 60 P.P.M.) except for the comparison and branch instructions. This 
code only checks the error channel and stores the error code returned from 
the disk drive in memory (*BE8D TO *8E9A). Once the error codes are stored 
in memory (from *BE3C to *8E43> the program will execute. The main program 
will check memory to see if the proper errors were found and stored in 
memory. If the proper errors were not found, the program will not operate 
properly. Now that you have a better idea of the protection scheme let’s 
get to work! 

7. This program uses both PROGRAM and USER files on the same disk. It 
will be necessary to take extra precautions when saving the code to the 
copy disk. It will be necessary to allocate the entire BAM and then scratch 
the file IT from the copy disk. This way when you save the modified code 
out to the disk there will not be any chance of over-writting any USER 
file. To allocate the BAM it will be necessary to use a TRACK and SECTOR 
editor (DISK DR, etc.). Fill the BAM will 00’s (bytes 4 thru 143, tr 18, se 
0). Then exit the TRACK and SECTOR editor. Scratch the file IT from the 
disk (0PEN15,8,15,"SO:IT"). Due to the many user files on the disk do not 
save any other programs on this disk. 
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8. Load and execute the original program normally. After the program is' 
in memory and running, RESET the computer. Load and execute the HIMON. Turn 
off SASIC (as described above) and examine the code from *8E3B to *8EA0. 
otice that the program stored the specific error code in mentor/ that the 

' teEl^as^Cnows.^ <lDCati ° nS 8E3C to 8E43) * Change the code at *BE92 to 

8E92 EA NOP 

8E93 EA NOP 

BE94 EA NOP 

8E95 20 CF FF JSR *FFCF 

! BE9B EA NOP 

BE99 EA NOP 

8E9A EA NOP 

I 


i 9. Save the code back to the the copy disk, 
j S "@0:IT",08,6000,B800 RETURN 

10. YOU'RE DONE Remember what you did here, you may run into similiar 

schemes!! 
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The next program to be covered ie one that was has eluded many people -for a 
long time. The error scheme used is very diffiluclt duplicate exactly. The 
program was a little tougher to break than most. I broke this program the 
day it arrived. 

The program is UNGRARD (C) 1983 BY MICRO-WARE 

TYPE OF PROTECTION: The disk uses multiple errors on one track. When the 
track is checked with the 'Ul' command a specific type of error is 
returned. The program also uses a ML DOS (Disk Operating System! routine to 
check for the proper errors. When the ML DOS routine find the proper 
error(s) (as on the original) it will store a value in an unused memory 
location of the disk drive. If the error is not present the ML DOS routine 
will place another value in this memory location of the drive. When the 
main program executes, it will use the value stored in the disk drive as a 
check to see if the disk was the original or not. 

The way to tell if a program was using any values stored in the disk drive 
is to use two disk drives. Hook up one drive at this time. 

1) . Load and execute the program. Use the program to verify the proper 
operation on the program. 

2) . Once you have verified that all the functions of the program operate 
properly then turn the power on to the second drive. Carefully disconnect 
the serial bus from the first drive and connect it to second drive. Do not 
turn off the power to the first drive. 

3) . Use the program and verify that the program does NOT operate as 
expected. If any values were stored in the disk drive the program will not 
operate properly. 

4) . Carefully hook the serial bus back up to the first drive and use the 
program. This will confirm that the program actually stored some data in 
the disk drive that was necessary for the proper operation. 

HOW TO COPY: Some of the newer (and better) 'nibble’ copy programs will 
successfully this program. 

HOW TO MAKE A WORKING COPY WITHOUT ANY ERRORS ON THE DISK. 

The main part of this program is written in BASIC. There is also ML code 
stored from *C000 to *D000. This ML code is the error generating routine(s) 
that will be stored in the disk drive to actually do the error generating. 
In examining this code it becomes apparent that each error generating 
routine will do an EXCLUSIVE OR (EOR) with memory location *14 (decimal 

20). This is the location where the proper value was stored in disk drives 

memory. By simply loading and executing the program one may obtain the 
proper value that was placed in the disk drive's memory. After the program 
is up and running disconnect the serial bus, turn off the computer. Then do 
a memory read (M-R) of the desired location (20 decimal). The value 
returned (220 decimal) is the key to making this program work. 

1) . Load and execute the main program. After it is up and running RESET 
your computer. 

2) . LOAD "RESTORE", 8,1 RETURN Then SYS525iCLR (use the program 

UNNEW if you wish) 

3) . You may now list the BASIC portion of the program. Delete line 132, 

this is the routine that loads the ML code at *C000 and checks for the 

proper errors. 
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Add the -following lines o-f code to the beginning of the program: 


10 IF A THEN 30 
20 A=1:L0AD“C0 DO",8,1 
30 0PEN15,8,15 

40 PRINT415,"M-W"jCHR*(20)CHR*(00)CHR*(1)CHR*(220) 

50 CLOSE 15 

Line 10 is a trap to load in the code -from *C000 to *D000. 

Line 20 sets the trap and loads the code. 

Line 30 opens the error/command channel to the drive. 

Line 40 stores the proper value in the disk drive at the proper location, 
line 50 closes the error/command channel. 

5) . Save the modified program out to a newly formatted disk. 

6) . Load and execute the L0M0N. (ML monitor residing at 32768). 

7) . Save the code from *0000 to *D000 on the same disk as you saved the 
modified program to. 

S "CO DO",08, C000,D000 

B). YOU'RE DONE - More and more it is becomming necessary to look in 

the drive for data. 





The program is THE HEIST, COPYRIGHT 1984 MIKE LIVESAY COMPUTER GAMES 
INC. 

TYPE OF PROTECTION: This program checks track 18 sector 18 -for an error 
23 CHECKSUM ERROR IN DATA. If this error is present, the program will 
run properly. 

HOW TO COPY: Copy the disk with any good copy program and place the 
error 23 on the disk at 18/18. You may also use a nibble copy program 
and let it put the errors on -for you. 

HOW TO MAKE A WORKING COPY WITHOUT ERRORS ON THE DISK. 

The technique used on this program is similar to the techniques 
described on pages 50 - SO of the Program Protection Manual. 

1) . File copy the HEIST and HEIST.OBJ files to a disk without errors. 

2) . LOAD and execute HIMON (a ML monitor residing at 49152—*C000). Fill 
memory from 0800 to 9FFF with 00’s. This will make it easy to locate 
the beginnning and ending addresses of the program. Finding the 
starting address is explained in the P.P.M on Page 35. Load 

“HEIST.OBJ". The code is located in memory from *0800 to *7FFF. Using 
the ’I’ command of your ML monitor, you can easily find the ending 
address. Using the 'H’ (hunt) command, you will find the “Ul" located 
at *23BA (Ul:5,0, 18,18). If you scroll up to S237E, you will find the 
CMP #*32. Also, located at *2385, you will find the CMP #*33. Change 
these locations to CMP #*30 and the program will run properly without 
any errors on the disk. CAUTION: You must change both locations. This 
program checks for a specific error, not just any error. 

3) . Save the code out to the copy disk. 

S “©0:HE IST. OBJ",08,0800,7FFF 


4). YOU’RE DONE 
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The program is PHAROAH'S CURSE, COPYRIGHT 1983 SYNAPSE SOFTWARE 

TYPE OF PROTECTIONi This program is stored on the disk in user files. 
Once in memory, the program checks for errors on track 4 sector 11 and 
track 17 sector 01 for error 23 CHECKSUM ERROR IN DATA. If these errors 
are present, the program will run. Tracks 19 through 35 contain error 
21, but these are not checked by the program. 

HOW TO COPYi Copy the disk with any good copy program and place the 
errors on the disk at 04/11 and 17/01. You may also use a nibble copy 
program and let it put the errors on for you. 

HOW TO MAKE A WORKING COPY WITHOUT ERRORS ON THE DISK. 

The technique used on this program is similar to the techniques 

described on pages 76 and 77 of the Program Protection Manual. 

1) . LOAD and RUN the original program. During the load, the screen will 

go through a series of color changes. When the screen stops on Orange, 
the program will read the error channel. Immediately after, the screen 
will turn to Cyan. RESET the computer at this point (page 45 of 
P.P.M.). If you are unsure of what color you are looking for, use these 

POKES in direct mode, POKE 53281,3iPOKE 53280,3. This will turn your 

screen to cyan. If you get into the option screen, your RESET was too 
late and your computer will not RESET properly. If you RESET in the 
proper spot, you will have a normal RESET. 

2) . LOAD and execute HIMON. Go to location *0001 and change the 37 to 
36. This will flip out the BASIC interpreter, allowing you to save out 
the code stored there. This code is necessary for the program to 
function properly. 

3) . Save the code from 0800 to C000. (EX. S "PHARO",08,0800,C000) 

4) . Load “PHARD",8,1 RETURN 

SYS3756 RETURN 

The SYS 3756 will take you to the code at HEX OEAC. This ML code 
changes the screen to CYAN, as you saw in our POKE test. Locating the 
proper entry point is the most difficult part of the process. One of 
the first places to start is a HUNT for a STA at *D021 and D020. You 
will find this explained on page 78 of the P.P.M. 

OEAC A9 03 LDA *#03 

OEAE 8D 20 DO STA *D020 (DECIMAL 53280 BORDER COLOR) 

OEB1 8D 21 DO STA *D021 (DECIMAL 53281 SCREEN COLOR) 

Remember that after the program checked the disk and found the error, 
the screen turned CYAN. All you had to do was to find the ML code that 
turned the screen CYAN (*0EAC) and use this location as the new entry 
point for the program (SYS 3756). 

5) . YOU'RE DONE 
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